Malware that Foils Two-Factor Authentication
This is an interesting article about a new breed of malware that also hijack’s the victim’s phone text messaging system, to intercept one-time passwords sent via that channel.
Page 461
Pre-9/11 NSA Thinking
This quote is from the Spring 1997 issue of CRYPTOLOG, the internal NSA newsletter. The writer is William J. Black, Jr., the Director’s Special Assistant for Information Warfare.
Specifically, the focus is on the potential abuse of the Government’s applications of this new information technology that will result in an invasion of personal privacy. For us, this is difficult to understand. We are “the government,” and we have no interest in invading the personal privacy of U.S. citizens.
This is from a Seymour Hersh New Yorker interview with NSA Director General Michael Hayden in 1999:
When I asked Hayden about the agency’s capability for unwarranted spying on private citizens—in the unlikely event, of course, that the agency could somehow get the funding, the computer scientists, and the knowledge to begin making sense out of the Internet—his response was heated. “I’m a kid from Pittsburgh with two sons and a daughter who are closet libertarians,” he said. “I am not interested in doing anything that threatens the American people, and threatens the future of this agency. I can’t emphasize enough to you how careful we are. We have to be so careful—to make sure that America is never distrustful of the power and security we can provide.”
It’s easy to assume that both Black and Hayden were lying, but I believe them. I believe that, 15 years ago, the NSA was entirely focused on intercepting communications outside the US.
What changed? What caused the NSA to abandon its non-US charter and start spying on Americans? From what I’ve read, and from a bunch of informal conversations with NSA employees, it was the 9/11 terrorist attacks. That’s when everything changed, the gloves came off, and all the rules were thrown out the window. That the NSA’s interests coincided with the business model of the Internet is just a—lucky, in their view—coincidence.
Lessons from Biological Security
Nice essay:
The biological world is also open source in the sense that threats are always present, largely unpredictable, and always changing. Because of this, defensive measures that are perfectly designed for a particular threat leave you vulnerable to other ones. Imagine if our immune system were designed to deal only with a single strain of flu. In fact, our immune system works because it looks for the full spectrum of invaders low-level viral infections, bacterial parasites, or virulent strains of a pandemic disease. Too often, we create security measures such as the Department of Homeland Security’s BioWatch program that spend too many resources to deal specifically with a very narrow range of threats on the risk spectrum.
Advocates of full-spectrum approaches for biological and chemical weapons argue that weaponized agents are really a very small part of the risk and that we are better off developing strategies like better public-health-response systems that can deal with everything from natural mutations of viruses to lab accidents to acts of terrorism. Likewise, cyber crime is likely a small part of your digital-security risk spectrum.
A full-spectrum approach favors generalized health over specialized defenses, and redundancy over efficiency. Organisms in nature, despite being constrained by resources, have evolved multiply redundant layers of security. DNA has multiple ways to code for the same proteins so that viral parasites can’t easily hack it and disrupt its structure. Multiple data-backup systems are a simple method that most sensible organizations employ, but you can get more clever than that. For example, redundancy in nature sometimes takes the form of leaving certain parts unsecure to ensure that essential parts can survive attack. Lizards easily shed their tails to predators to allow the rest of the body (with the critical reproductive machinery) to escape. There may be sacrificial systems or information you can offer up as a decoy for a cyber-predator, in which case an attack becomes an advantage, allowing your organization to see the nature of the attacker and giving you time to add further security in the critical part of your information infrastructure.
I recommend his book, Learning from the Octopus: How Secrets from Nature Can Help Us Fight Terrorist Attacks, Natural Disasters, and Disease.
Secrecy and Privacy
Interesting article on the history of, and the relationship between, secrecy and privacy.
As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late. The horse is out of the barn. The post office has opened your mail. Your photograph is on Facebook. Google already knows that, notwithstanding your demographic, you hate kale.
MAD in Cyberspace
Rod Beckstrom gives a talk (video and transcript) about “Mutually Assured Destruction,” “Mutually Assured Disruption,” and “Mutually Assured Dependence.”
Spear Phishing Attack Against the Financial Times
Interesting story with a lot of details.
The Future of Satellite Surveillance
Pretty scary—and cool.
Remember, it’s not any one thing that’s worrisome; it’s everything together.
Friday Squid Blogging: How the Acidification of the Oceans Affects Squid
It’s not good.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Me on the Lou Dobbs Show
I was on the Lou Dobbs Show earlier this week.
Sidebar photo of Bruce Schneier by Joe MacInnis.